I am unable to make user groups in GCP using terraform: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_identity_group
There is a warning about using the application default credentials:
If you are using User ADCs (Application Default Credentials) with this resource, you must specify a billing_project and set user_project_override to true in the provider configuration. Otherwise the Cloud Identity API will return a 403 error. Your account must have the serviceusage.services.use permission on the billing_project you defined.
I am using the Application Default Credentials.
Here is the error I get when I try to terraform apply my code:
Error: Error creating Group: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudidentity.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/764086051850",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with google_cloud_identity_group.group,
│ on groups.tf line 10, in resource "google_cloud_identity_group" "group":
│ 10: resource "google_cloud_identity_group" "group" {
│
As you can see, it is a 403 error, just like in the warning. I had also already tried enabling the API by following these instructions (https://cloud.google.com/identity/docs/how-to/setup), so I'm fairly certain that enabling the API is not the actual issue; I believe the issue is what the Terraform documentation warned about.
The warning says to specify billing_project and set user_project_override to true, but I don't know where to do that. As a guess I tried putting them as arguments in my Terraform script, but it didn't work (kind of expected, because they weren't listed as arguments in the Terraform documentation):
$ terraform apply
╷
│ Error: Unsupported argument
│
│ on groups.tf line 14, in resource "google_cloud_identity_group" "group":
│ 14: billing_project = var.project_id
│
│ An argument named "billing_project" is not expected here.
╵
╷
│ Error: Unsupported argument
│
│ on groups.tf line 15, in resource "google_cloud_identity_group" "group":
│ 15: user_project_override = true
│
│ An argument named "user_project_override" is not expected here.
My code:
variable "domain_name" {
  type    = string
  default = "martiantower.com"
}

variable "customer_id" {
  type    = string
  default = "C00yc5oid" # See: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F10070793%3Fhl%3Den&assistant_id=generic-unu&product_context=10070793&product_name=UnuFlow&trigger_context=a
}

resource "google_cloud_identity_group" "group" {
  display_name = "my-identity-group"
  parent       = "customers/${var.customer_id}"
  # billing_project = var.project_id # Not an actual argument
  # user_project_override = true # Not an actual argument

  group_key {
    id = "my-identity-group@${var.domain_name}"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}
I assume I'm supposed to set the billing_project and user_project_override via the gcloud CLI commands, but I don't know the commands for it. Any idea how to set the billing_project and user_project_override?
You have to set those values in the Google provider configuration, not in google_cloud_identity_group.